gabrielg Tux's lil' helper
Joined: 16 Nov 2012 Posts: 135
Posted: Sat Nov 02, 2024 3:06 pm Post subject: Wireguard interface doesn't exist when nftables loads
Hi, all,
I'm looking for best practice advice regarding Wireguard and nftables. As the subject says: my nftables rules fail to load at boot time because the Wireguard interface is not yet up and running. Once the boot process completes, I can reload nftables and the system works correctly.
Some key details:
- I'm using wg-quick to set up the Wireguard interface
- Network management is done by netifrc
- I'm using OpenRC (I did try rc_need="wg-quick.interface" in /etc/conf.d/nftables but that caused an infinite loop)
Some more (perhaps irrelevant) details:
The reason why I need nftables rules on the Wireguard interface is that I have two systems connected by said Wireguard bridge that need to interact with one another on certain ports; one of those systems is connected to a network that has hosts that need to reach the remote system, for which I NAT those hosts on the Wireguard interface. Naturally, I'm using nftables to restrict which ports each host on the bridge can access and to masquerade the hosts on the network.
For now, the way in which I solved this is by a somewhat crude method: I have two nftables configurations that are identical except that the non default one adds the Wireguard interface definition and the associated rules. wg-quick loads the alternative set when it comes up and reloads the default set when it goes down. This approach has some drawbacks, therefore I'm here looking for better ideas.
Thanks!
Gabriel
zen_desu n00b
Joined: 25 Oct 2024 Posts: 10
Posted: Sat Nov 02, 2024 3:33 pm Post subject: Re: Wireguard interface doesn't exist when nftables loads
gabrielg wrote: | Hi, all,
I'm looking for best practice advice regarding Wireguard and nftables. As the subject says: my nftables rules fail to load at boot time because the Wireguard interface is not yet up and running. Once the boot process completes, I can reload nftables and the system works correctly. [...] |
What do your nftables rules look like?
If you use "iif" or "oif", it requires the interface to be present. If you use "iifname" or "oifname", the rules should not do anything until the interface is added, then they become active.
_________________
µgRD dev
Wiki writer
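To make the point above concrete, here is an added example ruleset (not the poster's own configuration or anything from the thread) that does what the original post asks for, restricting which tunnel peer may reach which local ports and masquerading LAN hosts into the tunnel, while still loading at boot before wg-quick has created the interface. The interface names (wg0, eth0), addresses (10.8.0.2, 192.168.1.0/24), ports and the WireGuard listen port 51820 are assumptions for illustration; substitute your own.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not the original poster's. All names and
# addresses below are assumed for illustration.

flush ruleset

define wg_if   = "wg0"          # assumed WireGuard interface name
define lan_if  = "eth0"         # assumed LAN-facing interface
define lan_net = 192.168.1.0/24 # assumed LAN behind this host
define peer    = 10.8.0.2       # assumed tunnel address of the remote system

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # Match the tunnel by *name*: this loads even while wg0 does not
        # exist yet and starts matching as soon as wg-quick creates it.
        # "iif $wg_if" (by index) would make "nft -f" fail at boot with
        # "Error: Interface does not exist".
        iifname $wg_if ip saddr $peer tcp dport { 22, 5432 } accept

        # The encrypted WireGuard UDP traffic arrives on the physical
        # interface, not on wg0, so allow the listen port there.
        iifname $lan_if udp dport 51820 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN hosts may reach the remote system through the tunnel,
        # but only on the ports listed here.
        iifname $lan_if oifname $wg_if ip saddr $lan_net tcp dport { 443 } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Masquerade LAN hosts behind this host's tunnel address.
        # oifname works here for the same reason as iifname above.
        oifname $wg_if ip saddr $lan_net masquerade
    }
}
```

The check worth doing before relying on this at boot is to run `nft -c -f /etc/nftables.conf` (parse and validate without loading) with the tunnel down, e.g. after `wg-quick down wg0`: a ruleset that only uses `iifname`/`oifname` passes, whereas one containing `iif wg0`/`oif wg0` reports the missing interface. The trade-off is that name-based matches are resolved per packet rather than bound to an interface index at load time, which is negligible here, and that they follow whatever interface later gets that name, so keep the wg-quick interface name fixed.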